[NODE-4297] upgrade kerberos dependency to use only ansi-regex ^6.0.1 due to Security Vulnerability - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Task
Status: Closed
Priority: Unknown
Resolution: Done
Affects Version/s: kerberos-1.1.7, kerberos-2.0.0
Fix Version/s: kerberos-2.0.1
Component/s: None
Labels:
- external-user

Story Points:
2

Documentation Changes:
Not Needed

Description

Summary

Security Vulnerabilities in kerberos 2.0.0

This vulnerability comes from ansi-regex@2.1.1, which is a transitive dependency.
the solution is to upgrade depndency

Motivation

How does this affect the end user?

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to the sub-patterns{{ [\\]()#;?}} and (?:;[-a-zA-Z\\d\\/#&.:=?%@~_])*.

Is this issue urgent?

yes, possible ReDoS

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3807

Attachments

Issue Links

depends on

NODE-4298 Investigate NODE-4297 - upgrade kerberos dependency to use only ansi-regex ^6.0.1 due to Security Vulnerability

Closed

Sub-Tasks

1.	Upgrade prebuild-install to 7.1.1 for FLE bindings v2	NODE-4372		Closed	Neal Beeken
2.	Upgrade prebuild-install to 7.1.1 for Keberos v2	NODE-4373		Closed	Neal Beeken

Activity

People

Assignee:: Neal Beeken

Reporter:: Hadas Moscovici

Reviewers:: Neal Beeken

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: Jun 06 2022 03:07:44 PM UTC

Updated:: Mar 16 2023 11:22:49 PM UTC

Resolved:: Jul 01 2022 02:31:41 PM UTC